{"id":4626,"date":"2025-09-02T07:00:00","date_gmt":"2025-09-02T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4626"},"modified":"2025-09-02T07:00:00","modified_gmt":"2025-09-02T07:00:00","slug":"88-of-cisos-struggle-to-implement-zero-trust","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4626","title":{"rendered":"88% of CISOs struggle to implement zero trust"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Nearly nine out of every 10 security leaders have experienced significant challenges in their zero trust implementation attempts, according to a recent report from Accenture. The comprehensive nature of zero trust deployments, the level of pushback from department heads, and the extremely long time necessary for meaningful ROI are key factors in CISOs\u2019 zero trust frustrations, say industry analysts and security specialists.<\/p>\n<p>\u201cEven implementing zero trust, a fundamental security framework, poses a significant challenge for 88% of organizations,\u201d said the <a href=\"https:\/\/www.accenture.com\/us-en\/insights\/security\/state-cybersecurity-2025\">Accenture report<\/a>. \u201cThis vulnerability extends to the physical world, with 80% unable to effectively protect their cyber-physical systems.\u201d<\/p>\n<p>A big part of the struggle is that many companies <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">define zero trust<\/a> very differently. 
It has never been a specification as much as a security approach, though this is not to say many CISOs haven\u2019t had <a href=\"https:\/\/www.csoonline.com\/article\/3965399\/security-leaders-shed-light-on-their-zero-trust-journeys.html\">significant success in moving the zero trust needle<\/a> at their organizations.\u00a0<\/p>\n<p>Moreover, because each enterprise environment is unique, zero trust necessarily lacks specific implementation details, as compliance, geographies, verticals, and the nature of partners and others who need access to an organization\u2019s systems can all vary wildly, in addition to on-prem, cloud, remote site, IoT, and legacy particulars.<\/p>\n<p>\u201cIt\u2019s a strategic transformation, not a tactical deployment, and that\u2019s why we\u2019re seeing such widespread struggle across the industry,\u201d says <a href=\"https:\/\/www.tcs.com\/insights\/authors\/prashant-deo\">Prashant Deo<\/a>, the cybersecurity global practice head at Tata Consultancy Services. \u201cImplementing zero trust at the enterprise level is an uphill task which can require a phased and use case centric approach as part of the zero trust journey.\u201d<\/p>\n<p>Deo argues that the zero trust mindset is fundamentally at odds with how enterprises have always approached security.<\/p>\n<p>\u201cFor decades, security was built on the premise of implicit trust within the network perimeter. The zero trust model demands a complete reversal of this thinking,\u201d Deo notes. \u201cShifting an entire organization to a \u2018never trust, always verify\u2019 culture is a significant and difficult change.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/rexbooth\/\">Rex Booth<\/a>, CISO at Sailpoint, says definitional confusion is behind a lot of the friction.<\/p>\n<p>\u201cZero trust means a variety of things to a variety of people. 
We don\u2019t want to gatekeep what zero trust means and offer this idealized model as \u2018This is the only way to do zero trust,\u2019\u201d he says.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/karen-andersen-1201b95\">Karen Andersen<\/a>, an identity architect with World Wide Technology, agrees with Booth about the term\u2019s ambiguous nature.<\/p>\n<p>\u201cI often think people don\u2019t know what to make of the term. Some people say it\u2019s a product, but it means different things to different people,\u201d Andersen says. \u201cI often think it can be seen as a marketing buzzword, but I do believe in the strategy behind it.\u201d<\/p>\n<p>In fact, Andersen is surprised that only 88% of security executives reported having found deploying zero trust difficult.<\/p>\n<p>\u201cI want to meet the 12% who have not found it a struggle,\u201d she quips.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">The never-ending journey<\/h2>\n<p>A truly comprehensive zero trust deployment can take more than a decade to execute, Andersen says \u2014 assuming it ever gets completed.\u00a0<\/p>\n<p>\u201cWhen I explain zero trust [to senior management], I tell them that it\u2019s a strategy of a 10- to 12-year roadmap, to really build that foundation,\u201d she says. 
\u201cI don\u2019t think you ever get to the end of zero trust.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/salehalbualy\/\">Saleh Hamdan Al-Bualy<\/a>, who spent years as the information security manager for The Four Seasons Hotel chain, is another long-term cyber exec who is concerned about the complexity of zero trust and the shortage of concrete incentives to deliver it.<\/p>\n<p>\u201cThere is absolutely no incentive to do it,\u201d says Al-Bualy, who today serves as the security leader of a stealth AI startup and defines zero trust as the opposite of <a href=\"https:\/\/www.ibm.com\/docs\/en\/informix-servers\/12.10.0?topic=files-trusted-host-information\">Unix\u2019s trusted host<\/a>. \u201cIt has a slowdown effect on the business. You can\u2019t do zero trust unless you fully implement it. Until then, you won\u2019t get any of the benefits.\u201d<\/p>\n<p>Al-Bualy stresses that the only way zero trust can be successful is if it is pushed top down, from the board or CEO down to the CISO\u2019s office, similar to how generative AI has been pushed.\u00a0<\/p>\n<p>\u201cYou have to convince the board and the executive team that we need to do it for XYZ reasons,\u201d he says.<\/p>\n<p><a href=\"https:\/\/moorinsightsstrategy.com\/team\/will-townsend\/\">Will Townsend<\/a>, a VP and principal analyst for Moor Insights &amp; Strategy, says the nature of a typical CISO\u2019s compensation tends to discourage an enthusiastic zero trust deployment.<\/p>\n<p>\u201cCompensation isn\u2019t typically aligned with [zero trust] objectives. Most publicly traded companies live quarter to quarter,\u201d Townsend points out. \u201cWhat is valued are things that improve LOB productivity, the LOB\u2019s ability to monetize niche services. There is also more priority on cloud security. 
How do you attribute immediate ROI to improving security hygiene?\u201d<\/p>\n<p>Tata\u2019s Deo says another factor that tends to add friction to zero trust journeys is the lack of visibility throughout an enterprise\u2019s global threat landscape.<\/p>\n<p>Enterprises often have \u201cpoor visibility of data flows between subject and resource and this makes it challenging to determine the current access patterns and need of zero trust access within the enterprise,\u201d Deo says. \u201cThe ability to continuously monitor and probe for current state of user and device also proves prohibitive to adopt for real zero trust.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Nearly nine out of every 10 security leaders have experienced significant challenges in their zero trust implementation attempts, according to a recent report from Accenture. The comprehensive nature of zero trust deployments, the level of pushback from department heads, and the extremely long time necessary for meaningful ROI are key factors in CISOs\u2019 zero trust 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4626","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4626"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4626"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4626\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4627"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}